villebro opened a new pull request, #112:
URL: https://github.com/apache/superset-kubernetes-operator/pull/112

## Summary

Renovate PR #110 bumped the `golang:1.26` builder to a digest published only 16 hours ago, despite our `minimumReleaseAge: "7 days"` policy. The cause is that `minimumReleaseAge` gates *version* updates, not *digest* updates — the floating `golang:1.26` tag had simply been re-pushed to point at the freshly released 1.26.4, so Renovate proposed the digest bump immediately with no soak.

This pins the builder to a fully-qualified patch version (`golang:1.26.3`, the image we already run). Future Go upgrades now arrive as version updates subject to the 7-day soak — e.g. Renovate will re-propose 1.26.4 and hold it for a week rather than adopting it the day it ships.

## Details

- `Dockerfile`: `golang:1.26` → `golang:1.26.3` (same digest, now explicit).
- `docs/reference/security.md`: corrected the Supply Chain section, which previously implied a blanket 7-day age. It now scopes the soak to version updates and documents that digest refreshes of a floating tag (base-OS rebuilds, and the un-versionable `distroless/static:nonroot` runtime base) are applied without soak — an accepted, bounded residual risk.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
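The distinction the PR relies on (a fully-qualified patch tag moves via soaked version updates, a floating tag only via unsoaked digest refreshes) can be checked mechanically. The following is an added example, not code from the PR or the operator repository: it classifies every external `FROM` image in a Dockerfile by that property. The sample Dockerfile and its sha256 digests are constructed placeholders.

```python
import re

# Constructed sample Dockerfile mirroring the state the PR describes: a floating
# minor tag on the Go builder and the named distroless runtime tag, both pinned
# only by digest. The sha256 values are placeholders, not real image digests.
SAMPLE_DOCKERFILE = """\
FROM golang:1.26@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
WORKDIR /src
RUN CGO_ENABLED=0 go build -o /out/operator ./cmd
FROM gcr.io/distroless/static:nonroot@sha256:1111111111111111111111111111111111111111111111111111111111111111
COPY --from=builder /out/operator /operator
ENTRYPOINT ["/operator"]
"""

FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(?P<ref>\S+)(?:[ \t]+AS[ \t]+(?P<alias>\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
# A fully-qualified patch version (1.26.3, 1.26.3-alpine): a tag that Renovate
# bumps as a *version* update, which minimumReleaseAge does gate.
PATCH_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+(?:[-+.][0-9A-Za-z.]+)*$")

def split_ref(ref):
    """Split 'repo[:tag][@sha256:...]' into (repo, tag, digest)."""
    name, _, digest = ref.partition("@")
    repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:  # no tag, or the ':' belonged to a registry port
        repo, tag = name, None
    return repo, tag, digest or None

def classify_from_lines(dockerfile):
    """Return (repo, tag, verdict) for each external base image.
    'version-pinned' tags move via soaked version updates; floating tags move
    only via digest refreshes, which arrive with no soak."""
    findings, stages = [], set()
    for m in FROM_RE.finditer(dockerfile):
        ref, alias = m.group("ref"), m.group("alias")
        if alias:
            stages.add(alias.lower())
        if ref.lower() in stages:  # FROM <earlier stage>, not an external image
            continue
        repo, tag, digest = split_ref(ref)
        if tag and PATCH_VERSION_RE.match(tag):
            verdict = "version-pinned"
        elif digest:
            verdict = "floating-tag-digest-only"
        else:
            verdict = "floating-tag-no-digest"
        findings.append((repo, tag, verdict))
    return findings
```

Running it over the sample flags both images as digest-only floating tags; after the PR's change the `golang` line classifies as `version-pinned` while `distroless/static:nonroot` remains the documented residual case.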

